<!DOCTYPE html>
<html>

  <head>
    <meta charset='utf-8' />
    <meta http-equiv="X-UA-Compatible" content="chrome=1" />
    <meta name="description" content="CAS - Single Sign-On for the Web" />
    
    
    <link rel="stylesheet" type="text/css" media="screen"
          href="../../stylesheets/v40x-stylesheet.css">
    <link rel="stylesheet" type="text/css" media="print"
          href="../../stylesheets/print.css">
    <title>CAS - CAS Protocol</title>
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>
    <script src="../../javascripts/URI.js"></script>
    <script src="../../javascripts/v40x-main.js"></script>
  </head>

  <body>
    <!-- HEADER -->
    <div id="header_wrap" class="outer">
        <header class="inner">
          <a id="forkme_banner" href="https://github.com/Jasig/cas">View on GitHub</a>
          <div id="project_title">
            <a class="undecorated" href="../../index.html">
              <img class="undecorated" src="../../images/cas_logo.png"/>
            </a>
          </div>
          <h2 id="project_tagline">Single Sign-On for the Web</h2>
        </header>
    </div>

    <!-- NAVBAR -->    
    <div id="navbar_wrap" class="outer">
      <header id="navbar_content" class="inner">
        <div class="navlink">
  <a href="../../index.html">Home</a>
</div>
<div class="navlink">
  <a href="https://github.com/Jasig/cas/releases">Downloads</a>
</div>
<div class="navlink">
  <a href="https://www.google.com/cse/publicurl?cx=017040929083740828958:sqr2hwvrxmg">Search</a>
</div>
<div class="navlink">
  <a href="../../Support.html">Support</a>
</div>
<div class="navlink">
  <a href="../../Mailing-Lists.html">Mailing Lists</a>
</div>
<div class="navlink">
  <a href="../../Older-Versions.html">Older Versions</a>
</div>

        </header>
    </div>

      <!-- SIDEBAR -->
      <div id="sidebar_wrap" class="outer">
        <header id="sidebar_content" class="inner">
          <span id="sidebartoc"></span>
        </header >
      </div>
      
      <!-- PAGE TABLE OF CONTENTS -->
      <div id="table_contents" class="outer">
        <header id="sidebar_content" class="inner">
          <span id="tableOfContents"></span>
        </header>
      </div>
      
      <!-- MAIN CONTENT -->
      <div id="main_content_wrap" class="outer">
        <section id="main_content" class="inner">
          <h1 id="cas-protocol">CAS protocol</h1>
<p>The CAS protocol is a simple and powerful ticket-based protocol developed exclusively for CAS. A complete protocol specification may be found at <a href="http://www.jasig.org/cas/protocol">http://www.jasig.org/cas/protocol</a>.</p>

<p>It involves one or many clients and one server.<br />
Clients are embedded in <em>cassified</em> applications (called “CAS services”) whereas the CAS server is a standalone component:</p>
<ul>
<li>the <a href="../installation/Configuring-Authentication-Components.html">CAS server</a> is responsible for authenticating users and granting access to applications</li>
<li>the <a href="../integration/CAS-Clients.html">CAS clients</a> protect the CAS applications and retrieve the identity of the granted users from the CAS server.</li>
</ul>

<p>The key concepts are:</p>
<ul>
<li>the TGT (Ticket Granting Ticket), stored in the CASTGC cookie, represents an SSO session for a user</li>
<li>the ST (Service Ticket), transmitted as a GET parameter in URLs, stands for the access granted by the CAS server to the <em>cassified</em> application for a specific user.</li>
</ul>

<h2 id="versions">Versions</h2>
<p>The current CAS protocol is <a href="https://github.com/Jasig/cas/blob/master/cas-server-protocol/3.0/cas_protocol_3_0.md">version 3.0</a>, implemented by the CAS server 4.0.<br />
It’s mainly a capture of the most common enhancements built on top of the CAS protocol revision 2.0.<br />
Among all features, the most noticeable update between versions 2.0 and 3.0 is the ability to return the authentication/user attributes in the <code>/serviceValidate</code> response.</p>
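<p>The Python code below is an added example, not part of the original page or of the CAS code base. It shows how a CAS client could build the <code>/serviceValidate</code> call for an ST it received and read the user and attributes from a 3.0-style response, denying access unless the server reports explicit success. The host names, ticket value and sample XML are constructed; the element names and namespace are those of the CAS protocol specification.</p>

```python
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace of CAS XML responses

# Constructed sample responses (not captured from a real server).
SUCCESS_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:mail>jdoe@example.org</cas:mail>
      <cas:memberOf>staff</cas:memberOf>
      <cas:memberOf>admins</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def build_validate_url(cas_base, service, ticket):
    """Back-channel URL a client calls to validate the ST it received."""
    # 'service' must be the same URL the ST was issued for, URL-encoded.
    query = urlencode({"service": service, "ticket": ticket})
    return f"{cas_base.rstrip('/')}/serviceValidate?{query}"


def parse_service_response(xml_text):
    """Return (user, attributes); raise PermissionError unless CAS said success."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}serviceResponse" % CAS_NS["cas"]:
        raise PermissionError("not a CAS serviceResponse")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:  # fail closed: anything but explicit success is a denial
        failure = root.find("cas:authenticationFailure", CAS_NS)
        code = failure.get("code", "UNKNOWN") if failure is not None else "MALFORMED"
        raise PermissionError(f"ticket rejected: {code}")
    user = (success.findtext("cas:user", default="", namespaces=CAS_NS) or "").strip()
    if not user:
        raise PermissionError("success response without a user")
    attributes = {}  # attribute name -> list of values (attributes may repeat)
    attrs = success.find("cas:attributes", CAS_NS)
    if attrs is not None:
        for child in attrs:
            name = child.tag.split("}", 1)[-1]  # drop the "{namespace}" prefix
            attributes.setdefault(name, []).append((child.text or "").strip())
    return user, attributes
```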

<h2 id="web-flow-diagram">Web flow diagram</h2>

<p><a href="../images/cas_flow_diagram.png" target="_blank"><img src="../images/cas_flow_diagram.png" alt="CAS Web flow diagram" title="CAS Web flow diagram" /></a></p>

<h2 id="proxy-web-flow-diagram">Proxy web flow diagram</h2>
<p>One of the most powerful features of the CAS protocol is the ability for a CAS service to act as a proxy for another CAS service, transmitting the user identity.</p>

<p><a href="../images/cas_proxy_flow_diagram.jpg" target="_blank"><img src="../images/cas_proxy_flow_diagram.jpg" alt="CAS Proxy web flow diagram" title="CAS Proxy web flow diagram" /></a></p>

<h2 id="other-protocols">Other protocols</h2>
<p>Even if the primary goal of the CAS server is to implement the CAS protocol, other protocols are also supported as extensions:</p>
<ul>
<li><a href="../protocol/OpenID-Protocol.html">OpenID</a></li>
<li><a href="../protocol/OAuth-Protocol.html">OAuth</a></li>
<li><a href="../protocol/SAML-Protocol.html">SAML</a></li>
</ul>

<hr />

<h1 id="delegated-authentication">Delegated Authentication</h1>
<p>Using the CAS protocol, the CAS server can also be configured to <a href="../integration/Delegate-Authentication.html">delegate the authentication</a> to another CAS server.</p>


        </section>
      </div>

    <!-- FOOTER  -->
    <div id="footer_wrap" class="outer">
      <footer class="inner">
        <p>CAS is supported by the <a href="http://www.apereo.org/">Apereo Foundation</a>.</p>
      </footer>
    </div>
  </body>
</html>
